Some lines in my exim mainlog

NSteffens (Verified User, joined Jan 20, 2006, the Netherlands):
I'm seeing a few (3 now) of these in my exim mainlog file.

What part is saying 'cancelled by system filter:' ?

I don't want my server trying to relay through other servers... Anything I can do about it?

2006-12-31 10:00:16 1H0wYB-0004UK-5d <= [email protected] H=p3093-ipbfp201sizuokaden.shizuoka.ocn.ne.jp [124.96.243.93] P=xxxx S=24796 [email protected] T="Happy New Year!" from <[email protected]> for [email protected]
2006-12-31 10:00:16 1H0wYB-0004UK-5d cancelled by system filter: This message has been rejected because it has\na potentially executable attachment\n greeting card.exe\nThis form of attachment has been used by\nrecent viruses or other malware.\nIf you meant to send this file then please\npackage it up as a zip file and resend it.
2006-12-31 10:00:16 1H0wYC-0004UQ-2B <= <> R=1H0wYB-0004UK-5d U=mail P=xxx S=25833 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2006-12-31 10:00:16 1H0wYB-0004UK-5d Completed
2006-12-31 10:00:18 1H0wYC-0004UQ-2B ** [email protected] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail dot adhost dot com [216.211.128.3]: 554 5.7.1 <[email protected]>: Relay access denied
2006-12-31 10:00:18 1H0wYC-0004UQ-2B Frozen (delivery error message)
 
NSteffens said:
I'm seeing a few (3 now) of these in my exim mainlog file.

What part is saying 'cancelled by system filter:' ?
Your server is adding that because you're filtering out the attachment it contains.
I don't want my server trying to relay through other servers...
It's not relaying the message.
Anything I can do about it?
Okay, let's go through these lines in the log to explain what's happening; treat the following as a lesson in how to read log entries :) :
2006-12-31 10:00:16 1H0wYB-0004UK-5d <= [email protected] H=p3093-ipbfp201sizuokaden.shizuoka.ocn.ne.jp [124.96.243.93] P=xxxx S=24796 [email protected] T="Happy New Year!" from <[email protected]> for [email protected]
A server at IP# 124.96.243.93, identifying itself as p3093-ipbfp201sizuokaden.shizuoka.ocn.ne.jp in the, has sent you an email it says is from [email protected]. Your server has accepted the message.
2006-12-31 10:00:16 1H0wYB-0004UK-5d cancelled by system filter: This message has been rejected because it has\na potentially executable attachment\n greeting card.exe\nThis form of attachment has been used by\nrecent viruses or other malware.\nIf you meant to send this file then please\npackage it up as a zip file and resend it.
The exim system filter (a part of exim installed by DirectAdmin) has determined that it includes a potentially executable attachment.
2006-12-31 10:00:16 1H0wYC-0004UQ-2B <= <> R=1H0wYB-0004UK-5d U=mail P=xxx S=25833 T="Mail delivery failed: returning message to sender" from <> for [email protected]
Since it failed the filter, your server is trying to send it back to the sender, [email protected], under a new message id, -2B. The -5d in this line is actually a reference to what's being returned.
2006-12-31 10:00:16 1H0wYB-0004UK-5d Completed
Message -5d is now complete, a return attempt was made in -2B.
2006-12-31 10:00:18 1H0wYC-0004UQ-2B ** [email protected] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail dot adhost dot com [216.211.128.3]: 554 5.7.1 <[email protected]>: Relay access denied
Message -2B was refused by the receiving server as there was no such address there (it was probably forged by the original spammer).
2006-12-31 10:00:18 1H0wYC-0004UQ-2B Frozen (delivery error message)
Message -2B was frozen in the queue for administrator assistance; if the administrator doesn't look at it within several days, it'll be deleted from the queue.

You've brought up an interesting point ... the system filter sends back emails to addresses which may be forged :( . In other words, it may be a possible source of collateral spam.

I've never looked at the system filter before, I'm going to ask DA staff to look into this with me.

Jeff
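As an added example (not code from this thread, from DirectAdmin or from exim itself), the script below reads mainlog lines the way Jeff walks through them above: it groups lines by exim message id, follows the `R=` reference from a locally generated bounce (`<= <>`) back to the message it returns, and reports bounces whose parent was "cancelled by system filter". Those are the bounces to unverified, possibly forged envelope senders that Jeff identifies as a collateral-spam source. The sample lines are constructed from the excerpt in the thread, keeping its message ids but replacing addresses, hosts and IPs with documentation placeholders; a normally delivered message is added as a negative case.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the mainlog excerpt quoted in the thread above.
# Message ids follow the thread; addresses, hosts and IPs are documentation placeholders.
# A normally delivered message (...-9Q) is included so the detector has a negative case.
SAMPLE_LOG = r"""2006-12-31 10:00:16 1H0wYB-0004UK-5d <= sender@example.net H=relay.example.org [198.51.100.7] P=esmtp S=24796 T="Happy New Year!" from <sender@example.net> for user@example.com
2006-12-31 10:00:16 1H0wYB-0004UK-5d cancelled by system filter: This message has been rejected because it has\na potentially executable attachment\n greeting card.exe
2006-12-31 10:00:16 1H0wYC-0004UQ-2B <= <> R=1H0wYB-0004UK-5d U=mail P=local S=25833 T="Mail delivery failed: returning message to sender" from <> for sender@example.net
2006-12-31 10:00:16 1H0wYB-0004UK-5d Completed
2006-12-31 10:00:18 1H0wYC-0004UQ-2B ** sender@example.net F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<sender@example.net>: host mx.example.net [203.0.113.25]: 554 5.7.1 <sender@example.net>: Relay access denied
2006-12-31 10:00:18 1H0wYC-0004UQ-2B Frozen (delivery error message)
2006-12-31 10:05:02 1H0wd1-0004Vx-9Q <= alice@example.com H=(laptop) [192.0.2.10] P=esmtpa S=1020 T="lunch?" from <alice@example.com> for bob@example.net
2006-12-31 10:05:03 1H0wd1-0004Vx-9Q => bob@example.net R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.25]
2006-12-31 10:05:03 1H0wd1-0004Vx-9Q Completed
"""

# "<timestamp> <exim message id> <rest>"; exim ids are three dash-separated groups of 6, 6 and 2 chars
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\w{6}-\w{6}-\w{2}) (?P<rest>.*)$")
MSGID_RE = re.compile(r"R=(\w{6}-\w{6}-\w{2})\b")         # R= on a "<=" line is the parent of a local bounce
HOST_RE = re.compile(r"H=(\S+(?: \(\S+\))? \[[^\]]+\])")  # "H=name [ip]" or "H=(helo) [ip]"
SMTP_REPLY_RE = re.compile(r": (\d{3} \d\.\d\.\d .*)$")    # final "NNN X.Y.Z text" of a remote error


def _new_record():
    return {"sender": None, "recipient": None, "host": None, "parent": None,
            "filter_reason": None, "remote_error": None, "frozen": False, "completed": False}


def parse_mainlog(text):
    """Group mainlog lines by message id and keep the fields needed to follow a message's life."""
    msgs = defaultdict(_new_record)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # lines without a message id (daemon start, etc.) are not needed
        rec, rest = msgs[m["id"]], m["rest"]
        if rest.startswith("<= "):        # message accepted; a "<>" sender means a locally generated bounce
            rec["sender"] = rest[3:].split()[0]
            if h := HOST_RE.search(rest):
                rec["host"] = h.group(1)
            if p := MSGID_RE.search(rest):
                rec["parent"] = p.group(1)
            if r := re.search(r" for (\S+)$", rest):
                rec["recipient"] = r.group(1)
        elif rest.startswith("cancelled by system filter: "):
            rec["filter_reason"] = rest[len("cancelled by system filter: "):]
        elif rest.startswith("** "):      # permanent delivery failure; keep the remote SMTP reply
            if e := SMTP_REPLY_RE.search(rest):
                rec["remote_error"] = e.group(1)
        elif rest.startswith("Frozen"):
            rec["frozen"] = True
        elif rest == "Completed":
            rec["completed"] = True
    return dict(msgs)


def find_filter_backscatter(msgs):
    """Bounces exim generated for a message the system filter cancelled.

    The bounce goes to an envelope sender nobody verified. When that address is forged
    the remote side refuses it and the bounce freezes in the queue, which is the
    collateral-spam pattern discussed in the thread.
    """
    findings = []
    for mid, rec in msgs.items():
        parent = msgs.get(rec["parent"]) if rec["parent"] else None
        if rec["sender"] != "<>" or parent is None or not parent["filter_reason"]:
            continue
        findings.append({
            "bounce_id": mid,
            "original_id": rec["parent"],
            "bounced_to": rec["recipient"],
            "original_host": parent["host"],
            "filter_reason": parent["filter_reason"].split("\\n")[0],  # the log stores newlines as a literal "\n"
            "remote_error": rec["remote_error"],
            "frozen": rec["frozen"],
        })
    return findings


if __name__ == "__main__":
    for f in find_filter_backscatter(parse_mainlog(SAMPLE_LOG)):
        state = "frozen" if f["frozen"] else "queued/delivered"
        print(f"{f['original_id']} from {f['original_host']} was cancelled ({f['filter_reason']}); "
              f"bounce {f['bounce_id']} to {f['bounced_to']} is {state}: {f['remote_error']}")
```

To run it over a real log, pass the file contents to `parse_mainlog` (the mainlog path varies by installation, so it is not hard-coded here). A non-empty result means the server has been generating bounces to senders it never verified; the count over a day gives a feel for how much backscatter the filter produces, and the `original_host` field shows where the filtered messages came from.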
 
That's why you should deny at SMTP time and not relay.
If you used clamav it would be rejected at DATA time, before the end of the connection, making a legal reject.
Seems the system_filter rejected this mail, which stays frozen because it was a forged mail.
 
Re: Re: Some lines in my exim mainlog

jlasman said:
You've brought up an interesting point ... the system filter sends back emails to addresses which may be forged :( . In other words, it may be a possible source of collateral spam.

I've never looked at the system filter before, I'm going to ask DA staff to look into this with me.

Jeff

That is indeed what I meant with 'I don't want my server to try to relay through other servers'.

If I understand xemaps, it wouldn't relay (send back the message) any more when clamav is installed, which I will do when I start using Spamblocker 3.

Thanks for the log-reading lesson! Very helpful!
 